More and more nations count on Internet voting, despite negative experiences with voting machines and warnings by security researchers. At the 31C3 (link: www.ccc.de) these are showing that the current technology has little to fend off attackers.

At the recent CCC congress in Hamburg Alex Haldermann of the University of Michigan reported about various problems in Internet voting – including in Estonia. The hackers were faced with two challenges: First, they could not as in previous tests investigate manipulable voting machines offline – and transform them, for example, into a Pacman machine. Secondly, interventions to ongoing online elections are sensitive. “As a security researcher you can not simply hack into a server during an election,” Halderman said. Too big is the risk that you would so sabotage a democratic election result.

But during a test run of a scheduled online election in Washington, the researchers were able to take control of the entire election data center and in this way to convince the authorities of the system imperfections. Because Estonia does not perform such tests, Haldermann’s team confines itself to an external analysis of the processes at the first independent study of Internet voting.

The electoral process in the Baltic States is complex: The the voter should remain anonymous to the online voting system and at the same time have the opportunity to verify the correctness of his vote. The Estonian officials have therefore chosen a digital two-envelope solution that is similar to the classic absentee ballot: A signature ensures that the vote actually comes from an electorate. The votes are counted but only if the votes are exempt from the personal signatures. The verification works via a mobile app that allows citizens to see their voting results again and to even change them. This is to prevent votes sale, but would also allow a Trojan which was foisted to a citizen to change the vote afterwards.

Blabbed password

Haldermann’s team found several key weaknesses in the system: for instance the counting computer is giving merely the result of the election and does not sufficiently document, how it came about. Although the responsible parties have taken many security measures to protect the counting computer, but according to Haldermann these hardly withstand a serious attack of an state aggressor.

Thus, the security researchers discovered plenty of evidence of inadequate operational safety in the YouTube channel of the election officials of Estonia. Gaps are lurking in both the clients and the servers: so the central (or key) signatures were created on an obviously privately used computer, and in the videos you can see the access codes of the wireless network of the developers, and one video even shows the key to the server room sufficiently sharp to be able create a duplicate. During a vodka-soaked night a responsible was said to even even betray a key password.

But state organizations such as NSA might also try to compromise the counting maschine – either on the way from the manufacturer or by manipulated download images for the operating system. References to such concepts Edward Snowden delivered it was said.

Inconsistent code

The Baltic model is waking up desires in other states. So the cryptologist Tor Bjørstad in Hamburg reported about the online choice experiment in Norway. The Scandinavians had built a similar system as in Estonia in some constituencies for the parliamentary elections in 2013. They avoided some of the pitfalls of the model: So there were two different counting systems, which should ensure the correctness of the result. Despite long preparation, the project however failed to arouse the interest of technical experts. So Bjørstad was commissioned to examine more than 200,000 lines of JavaScript code for vulnerabilities almost single-handedly. A hopeless venture: “The code looked like typical enterprise applications,” the cryptologist summarizes. So encryption functions had been implemented twice, the code was not consistent. Five days before the election, a bug was discovered in the encryption system – still the voting could not be performed. Despite the apparently successful test run, the experiment is finished: The 2013 newly elected government had no interest in continuing the project of their predecessors. (Thorsten Kleinz)

Estonia is the first and only country that allows internet voting in political elections and referendums. Researchers now indicate fundamental risks.

Just two weeks before the European elections occurred, an international team of independent IT security experts addressed the public and pointed out fundamental risks in Estonian internet voting system. The experts consider the security flaws so serious that they recommend to put the system out of service immediately and return to elections with paper ballots.

Estonia is the first and only country that allows internet voting in political elections and referendums. Approximately 20 to 25 percent of the voters make use of this possibility. Developed by domestic firms the system is used in national and local elections and is to be used also in the European elections on 25 May 2014.

Lax security function, sufficient transparency

The arrangements for functional safety are lax, contradictory, are not sufficiently transparent for credible count and also as the software shows serious gaps against attacks from the outside, is the verdict of the team around Alex Halderman at the University of Michigan as well as the security researcher Harri Hursti, Jason Kitcat of the Open Rights Group and the election observer Maggie MacAlpine. All four had participated as election observers in the Estonian local elections last year.

“We have seen no closed, fully documented procedure for the care of the backend systems for these online elections,” Hursti complained. “These computers can be easily infiltrated by criminals or foreign hackers and undermine the security of the entire system.” Critical software would be downloaded via unsecured Internet connections, secret passwords and PINs under the supervision of video cameras would be given and the distribution of voting software be made to the citizens on unsecured computers.

Blind trust

“The Estonian Internet voting system blindly trusts the choice of servers and computers of voters,” Alex Halderman sums up his criticism; ‘both could present an attractive target to state attackers”. Together with two graduate students, the e-voting expert modeled at the University of Michigan the Estonian electoral system with the software used in the elections in 2013 in the laboratory by its own account and studied various attack scenarios. In a scenario they succeeded to unnoticedly steal votes with malware on the computer of the voter in spite of the protection by electronic ID card and smart phone verification. With another scenario it could be shown, Halderman reported, that malware attacks on the counting server could be possible which would influence the official results in the desired manner. The results of the tests will be published on a dedicated website. (Richard Sietmann)